[Yandex Cloud documentation](../../index.md) > [Yandex Smart Web Security](../index.md) > [Step-by-step guides](index.md) > Configuring logs via Application Load Balancer

# Configuring logging via Application Load Balancer

To write logs, Smart Web Security integrates with [Cloud Logging](../../logging/index.md) and [Audit Trails](../../audit-trails/index.md). They solve different tasks:

* Cloud Logging: Analyzes HTTP requests and triggered rules in security, WAF, and ARL profiles.
* Audit Trails: Collects Smart Web Security audit events. These are not full Smart Web Security logs but records of security events and actions with resources.

## Audit logs {#audit-events}

There are two types of events in Audit Trails:

* [Management events](../at-ref.md#control-plane-events), which include actions related to Yandex Cloud resource configuration, such as creating or deleting a security profile.
* [Data events](../at-ref.md#data-plane-events), which include actions performed on resources within Yandex Cloud services, e.g., triggering a rule from a WAF profile.

You can log events to a bucket in Object Storage, log group in Cloud Logging, or data stream in Data Streams.

## Logs of HTTP requests and triggered rules {#requests-logging}

There are two logging options available: via Smart Web Security and via the Application Load Balancer L7 load balancer the security profile is connected to. Logging via Smart Web Security provides more analysis options than logging via Application Load Balancer. Logs are written to a log group in Cloud Logging.

Log analysis enables you to configure and monitor Smart Web Security performance:

* Test security rules, WAF, and ARL in **Logging only** (dry run) mode. In this mode, the system does not block user requests but logs rule matches.
* View the number of blocked and allowed requests, evaluate and adjust rule performance.
* View detailed request information and identify false positives.

In some cases, traffic may be blocked during attacks. When this happens, the logs will include the `sws_service_rule` [service rule](../concepts/rules.md#service-rule) label.

## Working with logs {#configure-logging}

To get started with Smart Web Security logs:

1. [Enable and set up logging](#enable-logging).
1. [View and filter logs](#view-logs).

### Enable logging {#enable-logging}

{% note info %}

To manage [logging](../concepts/logging.md) in the L7 load balancer, you need the following roles:

- [alb.editor](../../application-load-balancer/security/index.md#alb-editor) for the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) containing the security profile.
- [logging.writer](../../logging/security/index.md#logging-writer) for the [log group](../../logging/concepts/log-group.md) receiving the logs.

To view logs, you need the [logging.viewer](../../logging/security/index.md#logging-viewer) role for the log group.

{% endnote %}

{% list tabs group=instructions %}

- Cloud Logging {#logging}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the Smart Web Security profile.
  1. Navigate to **Application Load Balancer**.
  1. In the list, select the load balancer linked to the security profile.
  1. Click ![image](../../_assets/console-icons/ellipsis.svg) and select **Edit**.
  1. Under **Log settings**:
     1. Enable **Write logs**.
     1. Select or create a Cloud Logging [log group](../../logging/concepts/log-group.md) to store your load balancer logs.
     1. Click **Add discard rule** and configure its [settings](../../application-load-balancer/concepts/application-load-balancer.md#discard-logs-rules).
  1. Click **Save**.

  For other ways to enable logging, see [Setting up L7 load balancer logging](../../application-load-balancer/operations/application-load-balancer-manage-logs.md).

- Audit Trails {#at}

  You can log Audit Trails events to a bucket in Object Storage, log group in Cloud Logging, data stream in Data Streams, or bus in EventRouter. In this guide, we will set up logging of audit events to a log group.

  1. In the [management console](https://console.yandex.cloud), select the folder containing the Smart Web Security profile.
  1. Navigate to **Audit Trails**.
  1. Click **Create trail**.
  1. Enter a name for the trail, e.g., `trail-sws`.
  1. Under **Destination**, select **Cloud Logging** as the destination object.
  1. Select or create a Cloud Logging [log group](../../logging/concepts/log-group.md) to store Smart Web Security events.
  1. Under **Collecting data events**, enable event collection and select **Smart Web Security**.

      For the rest of the settings in this section, leave the default values. The system will log all data events from Smart Web Security in the current folder, ignoring management events.
  
  1. Under **Service account**, create or select an account with the `logging.writer` role.
  1. Click **Create**.

  For other ways to enable event logging, see [Creating a trail to upload audit logs](../../audit-trails/operations/create-trail.md).

{% endlist %}

### Viewing logs {#view-logs}

{% list tabs group=instructions %}

- Cloud Logging {#logging}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the Smart Web Security profile.
  1. Navigate to **Application Load Balancer**.
  1. Select **Logs**.
  1. Select the number of messages per page and the time interval: 1 hour, 3 hours, 1 day, 1 week, 2 weeks.
  1. In the **Query** row, specify you query using the [filter expression language](../../logging/concepts/filter.md) and click **Run**.

     You can find examples of queries below.

  1. To view log details, expand it.

  For other ways to view logs, see [Viewing L7 load balancer logs](../../application-load-balancer/operations/application-load-balancer-get-logs.md) and [Reading records](../../logging/operations/read-logs.md).


  ## Examples of preset log filters {#filtration}

  Logs are delivered in JSON format. A single log entry maps to a single client request to the L7 load balancer.

  Requests for log filtering are based on the relationship between [Smart Web Security](../concepts/profiles.md#profile-rules-schema) profiles and rules. You can view logs for active, running rules, or rules in **Logging only** (dry run) mode.

  ### Filters for active rules {#active-rule-filters}

  * Show requests blocked by basic rules based on specific [conditions](../concepts/conditions.md), e.g., by IP list or region:
    ```
    json_payload.smartwebsecurity.matched_rule.rule_type = RULE_CONDITION and json_payload.smartwebsecurity.matched_rule.verdict = DENY
    ```
    
  * Show requests that have triggered the [Smart Protection](../concepts/rules.md#smart-protection-rules) rules with a CAPTCHA challenge:
    ```
    json_payload.smartwebsecurity.matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.matched_rule.verdict = CAPTCHA
    ```

  * Show requests blocked based on the [WAF](../concepts/waf.md) profile, i.e., by the security profile WAF rules:
    ```
    json_payload.smartwebsecurity.matched_rule.rule_type = WAF and json_payload.smartwebsecurity.matched_rule.verdict = DENY
    ```

  * Show requests blocked by the [ARL](../concepts/arl.md) profile rules:
    ```
    json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY
    ```

  * Show requests which triggered a specific ARL rule, `arl-rule-1`:
    ```
    json_payload.smartwebsecurity.advanced_rate_limiter.verdict = DENY and json_payload.smartwebsecurity.advanced_rate_limiter.applied_quota_name = "arl-rule-1"
    ```

  You can similarly add other conditions to the filters and adjust them to fit your traffic flow.

  ### Filters for rules in logging mode {#dry-run-filters}

  * Show requests that have triggered the [Smart Protection](../concepts/rules.md#smart-protection-rules) rules with a CAPTCHA challenge:
    
    ```
    json_payload.smartwebsecurity.dry_run_matched_rule.rule_type = SMART_PROTECTION and json_payload.smartwebsecurity.dry_run_matched_rule.verdict = CAPTCHA
    ```

  * View requests that have triggered the ARL rules (limits on requests).
    
    For the **Logging only** mode, you cannot use a request filtered by the `DENY` verdict, because this mode does not block requests. The rule verdict will be `ALLOW` even after the limit is exceeded. To debug the rules, use the `dry_run_exceeded_quota_names` parameter. This parameter shows which ARL rules were triggered by the request. If this parameter contains no rules, no limits were exceeded.

    Here is an example of a log fragment with the `dry_run_exceeded_quota_names` parameter:

    ```text
    "smartwebsecurity": {
      "advanced_rate_limiter": {
        "applied_quota_name": "",
        "dry_run_exceeded_quota_names": [
          "<rule_name_1>",
          "<rule_name_2>"
        ],
        "profile_id": "<profile_id>",
        "verdict": "ALLOW"
      },
    ```

  In this fragment, limits were exceeded for the `<rule_name_1>` and `<rule_name_2>` rules in the `<profile_id>` profile.

- Audit Trails {#at}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the Smart Web Security profile.
  1. Navigate to **Cloud Logging**.
  1. Select the log group receiving your Audit Trails events.
  1. Select the number of messages per page and the time interval: 1 hour, 3 hours, 1 day, 1 week, 2 weeks.
  1. In the **Query** field, specify you query using the [filter expression language](../../logging/concepts/filter.md) and click **Run**.

     Audit Trails events are written in JSON format. To find a specific [event](../at-ref.md#data-plane-events), provide its name in the following format:

     ```
     yandex.cloud.audit.smartwebsecurity.<event_name>
     ```

     For examples of how to create queries, see [Examples of requests for searching events in audit logs](../../audit-trails/tutorials/search-events-audit-logs/examples.md).

  1. To view log details, expand it.

For other ways to view logs, see [Viewing L7 load balancer logs](../../application-load-balancer/operations/application-load-balancer-get-logs.md).

{% endlist %}